Table of Contents

About the Documentation
E Series and JunosE Documentation and Release Notes
Audience
E Series and JunosE Text and Syntax Conventions
Obtaining Documentation
Documentation Feedback
Requesting Technical Support
Policy Management
Managing Policies on the E Series Router
Policy Management Overview
Description of a Policy
Policy Platform Considerations
Policy References
Policy Management Configuration Tasks
Creating Classifier Control Lists for Policies
Classifier Control Lists Overview
Creating or Modifying Classifier Control Lists for ATM Policy Lists
Creating or Modifying Classifier Control Lists for Frame-Relay Policy Lists
Creating or Modifying Classifier Control Lists for GRE Tunnel Policy Lists
Creating or Modifying Classifier Control Lists for IP Policy Lists
Creating Classifier Control List for Only IP Policy Lists
Setting Up an IP Classifier Control List to Accept Traffic from All Sources
Classifying IP Traffic Based on Source and Destination Addresses
Using IP Classifier Control Lists to Match Route Class Values
Creating IP Classifier Control Lists for TCP and UDP Ports
Creating an IP Classifier Control List That Matches the ToS Byte
Creating an IP Classifier Control List That Filters ICMP Echo Requests
Creating IP Classifier Control Lists That Use TCP or IP Flags
Creating IP Classifier Control Lists That Match the IP Fragmentation Offset
Creating or Modifying Classifier Control Lists for IPv6 Policy Lists
Creating or Modifying Classifier Control Lists for L2TP Policy Lists
Creating or Modifying Classifier Control Lists for MPLS Policy Lists
Creating or Modifying Classifier Control Lists for VLAN Policy Lists
Creating Policy Lists
Policy Lists Overview
Statistics Collection for Output Policies on Tunnel Interfaces Overview
Creating Policy Lists for ATM
Creating Policy Lists for Frame Relay
Creating Policy Lists for GRE Tunnels
Creating Policy Lists for IP
Creating Policy Lists for IPv6
Creating Policy Lists for L2TP
Creating Policy Lists for MPLS
Creating Policy Lists for VLANs
Configuring Statistics Collection for Output Policies on Tunnel Interfaces
Creating Classifier Groups and Policy Rules
Classifier Groups and Policy Rules Overview
Policy Rule Precedence
Using Policy Rules to Provide Routing Solutions
Configuring Policies to Provide Network Security
Creating an Exception Rule within a Policy Classifier Group
Defining Policy Rules for Forwarding
Forwarding Based on Next-Hop Addresses for Input IPv4 and IPv6 Policies
Assigning Values to the ATM CLP Bit
Enabling ATM Cell Mode
Enabling IP Options Filtering
Packet Tagging Overview
Creating Multiple Forwarding Solutions with IP Policy Lists
Creating a Classifier Group for a Policy List
Applying Policy Lists to Interfaces and Profiles Overview
Using RADIUS to Create and Apply Policies Overview
Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter Attribute
Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual Stack
Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers
Examples: Using the Ascend-Data-Filter Attribute for IPv6 Subscribers
Classifier-Specific Statistics Accounting for Classifier Groups Overview
Calculation of Upstream Packet Statistics for Service Accounting
Calculation of Downstream Packet Statistics for Service Accounting
Configuring Classifier-Specific Statistics Accounting for IPv4 and IPv6 Interfaces
Creating Rate-Limit Profiles
Rate Limits for Interfaces Overview
Hierarchical Rate Limits Overview
Hierarchical Classifier Groups
Hierarchical Rate-Limit Profiles
Hierarchical Rate-Limit Actions
Example: Multiple Flows Sharing Preferred Bandwidth Rate-Limiting Hierarchical Policy
Example: Multiple Flows Sharing a Rate Limit Hierarchical Policy
Example: Shared Pool of Additional Bandwidth with Select Flows Rate-Limiting Hierarchical Policy
Example: Aggregate Marking with Oversubscription Rate-Limiting Hierarchical Policy
Color-Aware Configuration for Rate-Limiting Hierarchical Policy
Percent-Based Rates for Rate-Limit Profiles Overview
Policy Parameter Reference-Rate
Specifying Rates Within Rate-Limit Profiles
Specifying Burst Sizes
Using Service Manager with Merged Policies
Policy Parameter Configuration Considerations
Policy Parameter Quick Configuration
Creating Rate-Limit Profiles
One-Rate Rate-Limit Profiles Overview
Creating a One-Rate Rate-Limit Profile
Configuring a TCP-Friendly One-Rate Rate-Limit Profile
Two-Rate Rate-Limits Overview
Creating a Two-Rate Rate-Limit Profile
Setting the Committed Action for a Rate-Limit Profile
Setting the Committed Burst for a Rate-Limit Profile
Setting the Committed Rate for a Rate-Limit Profile
Setting the Conformed Action for a Rate-Limit Profile
Setting the Exceeded Action for a Rate-Limit Profile
Setting the Excess Burst for a Rate-Limit Profile
Setting the Mask Value for MPLS Rate-Limit Profiles
Setting the Mask Value for IP and IPv6 Rate-Limit Profiles
Setting the Peak Burst for Two-Rate Rate-Limit Profiles
Setting the Peak Rate for Rate-Limit Profiles
Setting a One-Rate Rate-Limit Profile
Setting a Two-Rate Rate-Limit-Profile
Bandwidth Management Overview
Examples: One-Rate Rate-Limit Profile
Examples: Two-Rate Rate-Limit Profile
Examples: Rate-Limiting Individual or Aggregate Packet Flows
Rate-Limiting Traffic Flows
Merging Policies
Merging Policies Overview
Resolving Policy Merge Conflicts
Merged Policy Naming Conventions
Reference Counting for Merged Policies
Persistent Configuration Differences for Merged Policies Through Service Manager
Policy Attachment Sequence at Login Through Service Manager
Policy Attachment Rules for Merged Policies
Error Conditions for Merged Policies
Merging Policies
Parent Group Merge Algorithm
Overlapping Classification for IP Input Policy
Starting Policy Processing
Processing the Classifier Result
Processing the Auxiliary-Input Policy Attachment
Policy Actions
Creating Hierarchical Policies for Interface Groups
Hierarchical Policies for Interface Groups Overview
External Parent Groups
Example: Configuring Hierarchical Policy Parameters
Hierarchical Aggregation Nodes
RADIUS and Profile Configuration for Hierarchical Policies
Interface Profiles for Service Manager Overview
Hierarchical Policy Configuration Considerations
Example: Hierarchical Policy Quick Configuration
Example: Configuring Hierarchical Policies
Example: VLAN Rate Limit Hierarchical Policy for Interface Groups Configuration
Example: Wholesale L2TP Model Hierarchical Policy Configuration
Example: Aggregate Rate Limit for All Nonvoice Traffic Hierarchical Policy Configuration
Example: Arbitrary Interface Groups Hierarchical Policy Configuration
Example: Service and User Rate-Limit Hierarchy Overlap Hierarchical Policy Configuration
Example: Percentage-Based Hierarchical Rate-Limit Profile for External Parent Group
Example: PPP Interfaces Hierarchical Policy Configuration
Policy Resources
Policy Resources Overview
FPGA Hardware Classifiers
CAM Hardware Classifiers Overview
Size Limit for IP and IPv6 CAM Hardware Classifiers
IP Classifiers and Size Limits
IPv6 Classifiers and Size Limits
Creating and Attaching a Policy with IP Classifiers
Examples: Variable-Sized CAM Classification for IPv6 Policies
144-bit IPv6 Classification Example
288-bit IPv6 Classification Example
576-bit IPv6 Classification Example
Performance Impact and Scalability Considerations
Performance Impact
Scalability Considerations
CAM Device Block Size and CAM Entry Allocation
Number of CAM Entries Per Allocation and Free Entries
Software Classifiers Overview
Interface Attachment Resources Overview
Enabling the Policy Resources Exhaustion Trap
CAM Hardware Classifiers and Interface Attachment Resources
Range Vector Hardware Classifiers and Interface Attachment Resources
Detection of Corruption in the Statistics FPGA and System Operations on Detecting Corruption
Actions Performed on Detecting Parity Error
Configuring the Router to Perform Various Actions on Detecting Parity Error in the FPGA User and Policy Accounting Statistics
Monitoring Policy Management
Monitoring Policy Management Overview
Setting a Statistics Baseline for Policies
Monitoring the Policy Configuration of ATM Subinterfaces
Monitoring Classifier Control Lists
Monitoring Color-Mark Profiles
Monitoring Control Plane Policer Information
Monitoring the Policy Configuration of Frame Relay Subinterfaces
Monitoring GRE Tunnel Information
Monitoring Interfaces and Policy Lists
Monitoring the Policy Configuration of IP Interfaces
Monitoring the Policy Configuration of IPv6 Interfaces
Monitoring the Policy Configuration of Layer 2 Services over MPLS
Monitoring External Parent Groups
Monitoring Policy Lists
Monitoring Policy List Parameters
Monitoring Rate-Limit Profiles
Monitoring the Policy Configuration of VLAN Subinterfaces
Verifying Statistics Collection for Output Policies on Tunnel Interfaces
Packet Flow Monitoring Overview
Monitoring the Detection of Corrupted FPGA Statistics Settings
Displaying the Slot Numbers with Corrupted Statistics FPGA for AAA-Based Policy Accounting
Monitoring the Utilization of Interface Attachment Resources
Monitoring the Status of a Policy Resources Trap
Packet Mirroring
Packet Mirroring Overview
Packet Mirroring Overview
Comparing CLI-Based Mirroring and RADIUS-Based Mirroring
Configuration
Security
Application
Packet-Mirroring Terms
Packet Mirroring Platform Considerations
Packet Mirroring References
Configuring CLI-Based Packet Mirroring
CLI-Based Packet Mirroring Overview
Enabling and Securing CLI-Based Packet Mirroring
Reloading a CLI-Based Packet-Mirroring Configuration
Using TACACS+ and Vty Access Lists to Secure Packet Mirroring
Using Vty Access Lists to Secure Packet Mirroring
CLI-Based Packet Mirroring Sequence of Events
Configuring CLI-Based Packet Mirroring
Configuring Triggers for CLI-Based Mirroring
Configuring the Analyzer Device
Configuring the E Series Router to Support CLI-Based Mirroring
Example: Configuring CLI-Based Interface-Specific Packet Mirroring
Example: Configuring CLI-Based User-Specific Packet Mirroring
Configuring RADIUS-Based Mirroring
RADIUS-Based Mirroring Overview
RADIUS Attributes Used for Packet Mirroring
RADIUS-Based Packet Mirroring Dynamically Created Secure Policies
RADIUS-Based Packet Mirroring MLPPP Sessions
Configuring RADIUS-Based Packet Mirroring
Configuring the RADIUS Server
Disabling RADIUS-Based Mirroring
Configuring the Analyzer Device
RADIUS-Based Mirroring Sequence of Events
Configuring Router to Start Mirroring When User Logs On
Configuring Router to Mirror Users Already Logged In
Managing Packet Mirroring
Avoiding Conflicts Between Multiple Packet Mirroring Configurations
Understanding the Prepended Header During a Packet Mirroring Session
Format of the Mirror Header Attributes
8-Byte Format
4-Byte Format
Resolving and Tracking the Analyzer Device’s Address
Using Multiple Triggers for CLI-Based Packet Mirroring
Optimizing Packet Mirroring Performance
Determine Traffic Loads
Establish Resource Guidelines
Logging Packet Mirroring Information
Using SNMP Secure Packet Mirroring Traps
Additional Packet-Mirroring Traps for CALEA Compliance
Packet Mirroring Trap Severity Levels
Configuring SNMP Secure Packet Mirroring Traps
Capturing SNMP Secure Audit Logs
Monitoring Packet Mirroring
Monitoring Packet Mirroring Overview
Monitoring CLI-Based Packet Mirroring
Monitoring the Packet Mirroring Configuration of IP Interfaces
Monitoring Failure Messages for Secure Policies
Monitoring Packet Mirroring Triggers
Monitoring Packet Mirroring Subscriber Information
Monitoring RADIUS Dynamic-Request Server Information
Monitoring Secure CLACL Configurations
Monitoring Secure Policy Lists
Monitoring Information for Secure Policies
Monitoring SNMP Secure Packet Mirroring Traps
Monitoring SNMP Secure Audit Logs
Index
Index